Access Control and LDAP schema
Dear All - one aspect of access control is the ability to define
permissions and denials at the attribute type and value level.

One area that could get messy, I perceive, is the way in which
the labels are applied in LDAP schema. Obviously the issue is one of
storage methodology, i.e. is telephonenumber: 1234($home) just stored as a
complete string, or are they (within the LDAP server) separated?

Naturally, if they are all stored as a string together and access
controls are applied on $xxxx, $yyyyy, then substring searches will
have to be applied. This may work for sub-10,000-entry DSAs, but when
one hits millions or tens of millions of entries, string-based labels
embedded in string-based attribute values will hit hard.

With defined types (X.500 style) for phone numbers, etc. and
defined contexts, things seem to scale.

Has anyone done any modeling with LDAP servers re e.g. 100,000
entries with five types of phone numbers in each entry, using the
$label mechanism, applying access control regimes with $label parameters,
and seeing what happens on "get me all the Home phone numbers from
entries below xyz..."?

It would be a serious issue if the schema and access control
design of LDAP did not scale.

Thoughts are welcome.

regards, alan
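The two storage choices the post contrasts, as an added example that is not part of the original message or of any LDAP server: a constructed in-memory directory holds the same five labelled phone numbers per entry once as `1234($home)` strings and once keyed by label, and a per-label access rule plus a "give me all the home numbers" query is run against each. The `$label` syntax, the regex and the entry layout are assumptions for the illustration; the counts returned show how much parsing work the string-embedded form needs per query.

```python
import re

# Assumed label syntax for the illustration: value followed by ($label).
LABEL_RE = re.compile(r"^(?P<value>.*?)\(\$(?P<label>[A-Za-z0-9_]+)\)$")
LABELS = ("home", "work", "mobile", "fax", "pager")


def parse_labelled_value(raw):
    """Split '1234($home)' into ('1234', 'home'); an unlabelled value gets label None."""
    m = LABEL_RE.match(raw)
    return (m.group("value"), m.group("label")) if m else (raw, None)


def build_entries(n):
    """Constructed sample directory: n entries, five labelled phone values each,
    stored both as label-embedded strings and as values keyed by label."""
    labelled, typed = {}, {}
    for i in range(n):
        dn = f"cn=user{i},ou=people,dc=example,dc=com"
        nums = {lab: str(1000 + 10 * i + j) for j, lab in enumerate(LABELS)}
        labelled[dn] = {"telephonenumber": [f"{v}(${k})" for k, v in nums.items()]}
        typed[dn] = {"telephonenumber": {k: [v] for k, v in nums.items()}}
    return labelled, typed


def labelled_read(entries, attr, allowed_labels, wanted_label):
    """String-embedded labels: every value of every entry must be parsed
    (a substring/regex operation) before the ACL and the query can decide."""
    results, parsed = [], 0
    for dn, attrs in entries.items():
        for raw in attrs.get(attr, []):
            parsed += 1
            value, label = parse_labelled_value(raw)
            if label == wanted_label and label in allowed_labels:
                results.append((dn, value))
    return results, parsed


def typed_read(entries, attr, allowed_labels, wanted_label):
    """Typed storage: the ACL is decided once on the label, and only the
    values under that label are touched; other labels are never scanned."""
    if wanted_label not in allowed_labels:
        return [], 0
    results, touched = [], 0
    for dn, attrs in entries.items():
        for value in attrs.get(attr, {}).get(wanted_label, []):
            touched += 1
            results.append((dn, value))
    return results, touched
```

With three entries the string form parses all 15 values to answer a home-number query and still parses all 15 when the rule denies `$home`, while the typed form touches three values and, on denial, none.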